nv-l
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [NV-L] Root access

from [Leslie Clark] [Permanent Link][Original]
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Subject: RE: [NV-L] Root access
From: Leslie Clark <lclark@us.ibm.com>
Date: Mon, 14 May 2007 10:01:05 -0400
Delivery-date: Mon, 14 May 2007 15:10:03 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <4B7EE6C5FCFF304D9A1880844C82AE4602151889@na1fcm08.dearborn.ford.com>
List-help: <mailto:nv-l-request@lists.ca.ibm.com?subject=help>
List-id: Tivoli NetView Discussions <nv-l.lists.ca.ibm.com>
List-post: <mailto:nv-l@lists.ca.ibm.com>
List-subscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=subscribe>
List-unsubscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=unsubscribe>
Reply-to: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Sender: nv-l-bounces@lists.ca.ibm.com

The Precision product and its pre-coreqs generally require root for installation and configuration. However, they can be configured to run (mostly) as a non-root account, and can then be administered (stop/started, etc) by a non-root account.  Certain changes that involve the operating system would of course need to be made by root, but generally speaking, the files can be owned by the non-root account.  This is understood by development to be a good thing, and changing it has not been in any of the futures that I have seen.  

Changing Netview on the otherhand, while it was understood to be a good thing, was never feasible since the product had been designed to be run that way from day one.

Cordially,

Leslie A. Clark
IT Services Specialist, Network Mgmt
Information Technology Services Americas
IBM Global Services
(248) 552-4968 Voicemail, Fax, Pager


"Kain, Becki \(B.\)" <bkain1@ford.com>
Sent by: nv-l-bounces@lists.ca.ibm.com

05/14/2007 09:48 AM
Please respond to
Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
To
"Tivoli NetView Discussions" <nv-l@lists.ca.ibm.com>
cc
Subject
RE: [NV-L] Root access





sudo will not work on some *nix'es because the ability to bring in libraries is turned off for security reasons.  Had Netview been compiled as static, and not dynamic, this would not be an issue.
 
Netcool, afaik, does not require root.  Is IBM going to change it so that it will, based on your second paragraph?
 
 

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of James Shanks
Sent: Monday, May 14, 2007 9:36 AM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access

Perhaps addtrap does core under some conditions under sudo, though offhand I don't know why that should be. addtrap is looking for a uid of 0 and will exit if that's not the user id of the user who invoked it. I don't know whether sudo on Linux provides a uid of zero or not. Really I have no idea how sudo actually works.

I have no suggestions for how to avoid using root, but I think this issue stems largely from the fact that most UNIX admins are ignorant of the power of NetView. If you let a non-root user configure traps in NetView, then you have given him or her complete authority to do anything they like. All you have to do is configure trapd.conf, with addtrap or xnmtrap or even vi if you know what you are doing, to execute any script you write or any command you like for the Node Up trap and then issue "event" from the command line. The default event is "Node Up" and when trapd gets it, he will dutifully issue that command, and since he has root authority, he becomes the slave of whomever has the power to configure him. So addtrap is a powerful tool that will let whomever has the authority to use it, alter the system in any way they like. This should not be news to any experienced NetView admin, and has been posted in this forum before.

Warning! Personal opinion follows. <soapbox >
The decision not to give the NetView admin root access is purely political; it has no technical basis. It just a matter of corporate turf wars, "You aren't in our group so you can't have access." IBM's position, so far as I know, still remains that the NetView administrator should be the UNIX admin for the NetView box, and that companies should align their political boundaries with what works not with some arbitrary org chart.
</soapbox off>

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp
Inactive hide details for "Kain, Becki \(B.\)" <bkain1@ford.com>"Kain, Becki \(B.\)" <bkain1@ford.com>
"Kain, Becki \(B.\)" <bkain1@ford.com>
Sent by: nv-l-bounces@lists.ca.ibm.com

05/14/2007 09:05 AM
Please respond to
Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>

To

"Tivoli NetView Discussions" <nv-l@lists.ca.ibm.com>

cc

Subject

RE: [NV-L] Root access




Yes, but in my experiences, sudo does not work for all commands (addtrap, for one, core dumps on it)

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of Evans, Bill
Sent: Friday, May 11, 2007 5:02 PM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access

I don't think there is a technical explanation or a problem. It's just some fuzzy wording left over from long ago when only "root" had "root" authority. It's been a couple months since we put a test instance of NV 7.1.5 in place on RH 4 and my memory may not be working well, but as I remember it ...

The character string "root" is meaningless. The authority is the key. I log into the system where NetView will reside with my normal user connection then so a SUDO to get administrator (root) authority, change directory to where I've copied my media from the disks ( /usr/NV_media/NV-Base-715/BASE_CD/NetView) and proceed to issue the "./instalnv -k SERVER [-u] [-q]" command.

"Real soon now" we'll be putting 7.1.5 into production. It's been working well on the test machine. Our system support group is busily removing unused packages and tying up security threads on the RH 4 install so we can proceed.

Bill Evans
From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of REAMD@nationwide.com
Sent: Friday, May 11, 2007 10:08 AM
To: Tivoli NetView Discussions
Subject: [NV-L] Root access


Hi All,
Can someone please provide me a technical explanation as to why you need to be logged on as 'root' to install Netview? I currently have a new Solaris 10 box that Im going to load Netview 7.1.5 on and my Unix team does not want to give me the root password. They have given me 'sudo root' and with sudo you already have the same level of access as the Unix Systems Administrators and can grab a root shell as needed. The only location the root user can log into a server is on the serial console. Ssh into the server as root and running the su command will not work per the ITRM Unix security template.

Thanks, Dave _______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to internal IBM'ers only)
_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to internal IBM'ers only)
 
_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to 
internal IBM'ers only)
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [NV-L] Root access, Kain, Becki \(B.\)
Next by Date:  Re: [NV-L] Predefined configurations from SNMP Collector NOT showing, James Shanks
Previous by Thread:  RE: [NV-L] Root access, Kain, Becki \(B.\)
Next by Thread:  [NV-L] Predefined configurations from SNMP Collector NOT showing, Mario Behring
Indexes:  [Date] [Thread] [Top] [All Lists]

Archive operated by Skills 1st Ltd

See also: The NetView Web